How to limit the number of connections per local/public IP?

I have a MikroTik device which controls 200 proxies.
Each proxy has its own private IP (172.16.0.2 -> 172.16.0.201), and each proxy goes out to the internet through its own interface, pppoe-out2 -> pppoe-out201.
I don’t want users to use the proxies as DDoS nodes.
I need to limit users from creating multiple connections to one public IP; for example, IP 172.16.0.x cannot create over 20 connections to the IP whatever-victim.com.
Could I do this with MikroTik?
I created rules like this:

:for i from 2 to 201 do={/ip firewall filter add action=drop chain=forward connection-limit=30,32 connection-state=established,new protocol=tcp src-address=("172.16.0." . $i) tcp-flags=syn;}

Then I created 10 full connections to 10 different IPs → MikroTik dropped all current connections → this is not what I need.

Why don’t you solve the problem where it occurs: in the proxies?

I don’t get it. Could you please describe it in detail?

Limiting the number of connections per local or public IP is a common practice to prevent abuse, protect server resources, and enhance security. The exact method to implement this restriction depends on the type of server and the software or hardware you are using. Below, I’ll provide a general approach for implementing connection limits on both local and public IPs.

Using Firewalls (for Public IP):

Iptables (Linux):

Iptables is a common tool for managing firewall rules on Linux servers. You can use it to limit the number of connections from a specific IP address.
To limit the number of connections for a specific IP (e.g., 192.168.1.100), you can use a rule like this:

```
iptables -A INPUT -p tcp -s 192.168.1.100 --syn --dport 80 -m connlimit --connlimit-above 10 -j REJECT
```

This rule limits the number of incoming connections from IP 192.168.1.100 to 10.

Windows Firewall (Windows Server):

On Windows Server, you can use the built-in Windows Firewall.
Go to “Windows Defender Firewall with Advanced Security” and create an inbound rule.
In the rule properties, you can set the “Connection Security” tab to limit connections.

Web Server Configuration (for Public IP):

Nginx:

In the Nginx configuration file (usually located at /etc/nginx/nginx.conf or /etc/nginx/sites-available/default), you can use the limit_conn module to limit the number of connections per IP.
Example:

```
http {
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_conn conn_limit_per_ip 10;
}
```

Apache:

In the Apache configuration file, you can use the mod_evasive module to limit the number of connections per IP.
Example:

```
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
```

Using Application Code (for Local IP):

Application-Level Code (e.g., in Python):

In your application code, you can implement IP-based connection limiting. For example, in a Python web application, you can use a dictionary to keep track of the number of connections per IP.
If you’re using a web framework like Flask, you can create a middleware to check and limit connections.

Here, we’ve covered both firewall-level and web server-level methods to limit connections, and application-level methods for local IP. The exact implementation may vary based on your specific server setup and requirements. Always be cautious when implementing connection limits, as overly strict restrictions can impact legitimate users. Test your configuration thoroughly to ensure it meets your goals without causing unintended issues.

You say you control 200 proxies.
Configure IN THOSE PROXIES what the maximum number of connections is.
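
As an added example (not code from any poster in this thread), the per-IP counting dictionary suggested above and the advice to enforce the cap inside the proxies can be combined into a limiter keyed on the (client IP, destination) pair, which is the limit the original question asks for. The class and function names, the `victim.example` host and the cap of 20 are assumptions for illustration; a proxy would call `acquire`/`release` (or `slot`) around each upstream connection.

```python
import threading
from contextlib import contextmanager


class PairConnectionLimiter:
    """Caps concurrent connections per (client IP, destination host) pair."""

    def __init__(self, max_per_pair=20):
        self.max_per_pair = max_per_pair
        self._active = {}                  # (src, dst) -> open connection count
        self._lock = threading.Lock()      # a proxy serves clients concurrently

    def acquire(self, src, dst):
        """Reserve a slot; return False if this pair is already at its cap."""
        key = (src, dst.lower())           # hostnames are case-insensitive
        with self._lock:
            current = self._active.get(key, 0)
            if current >= self.max_per_pair:
                return False
            self._active[key] = current + 1
            return True

    def release(self, src, dst):
        key = (src, dst.lower())
        with self._lock:
            if self._active.get(key, 0) <= 1:
                self._active.pop(key, None)    # forget idle pairs, keep table small
            else:
                self._active[key] -= 1

    @contextmanager
    def slot(self, src, dst):
        """Hold one slot for the lifetime of a proxied connection."""
        if not self.acquire(src, dst):
            raise ConnectionRefusedError(f"{src}: too many connections to {dst}")
        try:
            yield
        finally:
            self.release(src, dst)


def simulate(limiter, src, destinations):
    """Open one connection per listed destination; return accept/refuse results."""
    return [limiter.acquire(src, dst) for dst in destinations]


if __name__ == "__main__":
    lim = PairConnectionLimiter(max_per_pair=20)       # constructed demo values
    print(simulate(lim, "172.16.0.5", ["victim.example"] * 21))
```

Because the counter is keyed on the pair rather than on the source alone, ten connections from one client to ten different hosts never touch the cap, while the 21st connection to a single host is refused.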